Policy Pages Reference : Optimization policy settings : SMB2/3
  
SMB2/3
This section describes the SMB support changes with recent versions of RiOS.
SMB3 support
In RiOS 9.2, enabling SMB3 on a SteelHead also enables support for SMB 3.1.1 to accelerate file sharing among Windows 10 clients to Windows Server 16 or Windows VNext (server). RiOS supports latency and bandwidth optimization for SMB 3.1.1 when SMB2/3 optimization and SMB2 signing are enabled and configured. SMB 3.1.1 adds these encryption and security improvements:
•  Encryption - The SMB 3.1.1 encryption ciphers are negotiated per-connection through the negotiate context. Windows 10 now supports the AES-128-CCM cipher in addition to AES-128-GCM for encryption. SMB 3.1.1 can negotiate to AES-128-CCM to support older configurations.
Encryption requires that SMB2 signing is enabled on the server-side SteelHead in NTLM-transparent (preferred) or NTLM-delegation mode, and/or end-to-end Kerberos mode. Domain authentication service accounts must be configured for delegation or replication as needed.
•  Preauthentication Integrity - Provides integrity checks for negotiate and session setup phases. The client and server maintain a running hash on all of the messages received until there’s a final session setup response. The hash is used as input to the key derivation function (KDF) for deriving the session secret keys.
•  Extensible Negotiation - Detects man-in-the-middle attempts to downgrade the SMB2/3 protocol dialect or capabilities that the SMB client and server negotiate. SMB 3.1.1 dialect extends negotiate request/response through negotiate context to negotiate complex connection capabilities such as the preauthentication hash algorithms and the encryption algorithm.
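The preauthentication integrity mechanism described above, as an added illustration that is not part of this reference and not Riverbed code: the running SHA-512 chain from MS-SMB2 (start at 64 zero bytes, then hash the previous value with each negotiate and session setup message) feeds the SP 800-108 KDF as its context, so a tampered negotiate leaves the two sides with different signing keys and the final signed session setup response fails to verify. The messages and session key are constructed placeholders, not real SMB2 packets.

```python
import hashlib
import hmac
import struct

# SMB 3.1.1 preauthentication integrity (MS-SMB2): the hash value starts as
# 64 zero bytes and becomes SHA-512(previous || message) for every NEGOTIATE
# and SESSION_SETUP message exchanged before the final SESSION_SETUP response.
HASH_ZERO = bytes(64)

def preauth_hash(messages, start=HASH_ZERO):
    """Chain the SHA-512 preauth hash over raw SMB2 messages, in order."""
    h = start
    for msg in messages:
        h = hashlib.sha512(h + msg).digest()
    return h

def kdf_counter_hmac_sha256(key, label, context, length=16):
    """SP 800-108 counter-mode KDF with HMAC-SHA256, one block (L = 128 bits),
    the construction SMB 3.x uses for session keys. The label keeps its
    trailing NUL, then comes the 0x00 separator, the context, and L."""
    fixed = struct.pack(">I", 1) + label + b"\x00" + context + struct.pack(">I", length * 8)
    return hmac.new(key, fixed, hashlib.sha256).digest()[:length]

def derive_signing_key(session_key, messages):
    """SMB 3.1.1 signing key: the preauth hash is the KDF context, so any
    change to the negotiate exchange changes the key a peer expects."""
    return kdf_counter_hmac_sha256(session_key, b"SMBSigningKey\x00", preauth_hash(messages))

# Constructed sample messages (not captures); real inputs are complete SMB2
# packets including headers and the negotiate contexts.
NEGOTIATE_REQ = b"\xfeSMB" + b"NEGOTIATE request: dialects 0x0202 0x0210 0x0300 0x0302 0x0311"
NEGOTIATE_RSP = b"\xfeSMB" + b"NEGOTIATE response: dialect 0x0311"
SESSION_SETUP_REQ = b"\xfeSMB" + b"SESSION_SETUP request"
SESSION_KEY = b"constructed-16B!"  # placeholder for the authenticated session key

def both_sides_agree(client_view, server_view, session_key=SESSION_KEY):
    """True only if client and server derive the same signing key, i.e. the
    signed final SESSION_SETUP response would verify at the client."""
    return hmac.compare_digest(derive_signing_key(session_key, client_view),
                               derive_signing_key(session_key, server_view))

if __name__ == "__main__":
    honest = [NEGOTIATE_REQ, NEGOTIATE_RSP, SESSION_SETUP_REQ]
    # A middlebox that rewrites the client's dialect list changes what the
    # server hashes, while the client still hashes what it actually sent.
    tampered = [NEGOTIATE_REQ.replace(b"0x0311", b"0x0302"), NEGOTIATE_RSP, SESSION_SETUP_REQ]
    print("untouched exchange verifies:", both_sides_agree(honest, honest))
    print("rewritten negotiate verifies:", both_sides_agree(honest, tampered))
```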
The server-side SteelHeads must be joined to the domain in Active Directory Integrated Windows 2008 or later.
With the exception of service accounts configuration, you can complete all of the above settings on the server-side SteelHead by using the Configure Domain Auth widget.
In RiOS 9.0 and later, enabling SMB3 on a SteelHead also enables support for the SMB 3.02 dialect introduced by Microsoft in Windows 8.1 and Windows Server 2012 R2. SMB 3.02 is only negotiated when systems of these operating system versions are directly connected. SMB 3.02 is qualified with SMB3.02 signed and unsigned traffic over IPv4 and IPv6, and encrypted connections over IPv4 and IPv6. Authenticated connections between a server-side SteelHead and a domain controller are only supported over IPv4.
RiOS 8.5 and later include support for SMB3 traffic latency and bandwidth optimization for native SMB3 clients and servers.
Windows 8 clients and Windows 2012 servers feature SMB3, an upgrade to the CIFS communication protocol. SMB3 adds features for greater resiliency, scalability, and improved security. SMB3 supports these features:
•  Encryption - If the server and client negotiate SMB3 and the server is configured for encryption, all SMB3 packets following the session setup are encrypted on the wire, except for when share-level encryption is configured. Share-level encryption marks a specific share on the server as being encrypted; if a client opens a connection to the server and tries to access the share, the system encrypts the data that goes to that share. The system doesn’t encrypt the data that goes to other shares on the same server.
Encryption requires that you enable SMB signing.
•  New Signing Algorithm - SMB3 uses the AES-CMAC algorithm instead of the HMAC-SHA256 algorithm used by SMB2 and enables signing by default.
•  Secure Dialect Negotiation - Detects man-in-the-middle attempts to downgrade the SMB2/3 protocol dialect or capabilities that the SMB client and server negotiate. Secure dialect negotiation is enabled by default in Windows 8 and Server 2012. You can use secure dialect negotiation with SMB2 when you are setting up a connection to a server running Server 2008-R2.
SMB 3.0 dialect introduces these enhancements:
–  Allows an SMB client to retrieve hashes for a particular region of a file for use in branch cache retrieval, as specified in [MS-PCCRC] section 2.4.
–  Allows an SMB client to obtain a lease on a directory.
–  Encrypts traffic between the SMB client and server on a per-share basis.
–  Uses remote direct memory access (RDMA) transports, when the appropriate hardware and network are available.
–  Enhances failover between the SMB client and server, including optional handle persistence.
–  Allows an SMB client to bind a session to multiple connections to the server. The system can send a request through any channel associated with the session, and sends the corresponding response through the same channel previously used by the request.
To optimize signed SMB3 traffic, you must run RiOS 8.5 or later and enable SMB3 optimization on the client-side and server-side SteelHeads.
For additional details on SMB 3.0 specifications, go to http://msdn.microsoft.com/en-us/library/cc246482.aspx
SMB2 support
RiOS supports SMB2 traffic latency optimization for native SMB2 clients and servers. SMB2 allows more efficient access across disparate networks. It is the default mode of communication between Windows Vista and Windows Server 2008. Microsoft modified SMB2 again (to SMB 2.1) for Windows 7 and Windows Server 2008 R2.
SMB2 brought a number of improvements, including but not limited to:
•  a vastly reduced set of opcodes (a total of only 18); in contrast, SMB1 has over 70 separate opcodes. Note that use of SMB2 doesn’t result in lost functionality (most of the SMB1 opcodes were redundant).
•  general mechanisms for data pipelining and lease-based flow control.
•  request compounding, which allows multiple SMB requests to be sent as a single network request.
•  larger reads and writes, which provide for more efficient use of networks with high latency.
•  caching of folder and file properties, where clients keep local copies of folders and files.
•  improved scalability for file sharing (number of users, shares, and open files per server greatly increased).
For details about Protocols SMB2, see the SteelHead User Guide for SteelHead CX.
Optimization
Complete the configuration using these controls.
•  None - Disables SMB2 and SMB3 optimization.
•  Enable SMB2 Optimization - Performs SMB2 latency optimization in addition to the existing bandwidth optimization features. These optimizations include cross-connection caching, read-ahead, write-behind, and batch prediction among several other techniques to ensure low-latency transfers. RiOS maintains the data integrity, and the client always receives data directly from the servers.
By default, SMB2 optimization is disabled.
You must enable (or disable) SMB2 latency optimization on both the client-side and server-side SteelHeads.
To enable SMB2, both SteelHeads must be running RiOS 6.5 or later. After enabling SMB2 optimization, you must restart the optimization service.
•  Enable SMB3 Optimization - Performs SMB3 latency optimization in addition to the existing bandwidth optimization features. This optimization includes cross-connection caching, read-ahead, write-behind, and batch prediction among several other techniques to ensure low-latency transfers. RiOS maintains the data integrity, and the client always receives data directly from the servers.
By default, SMB3 optimization is disabled.
You must enable (or disable) SMB3 latency optimization on both the client-side and server-side SteelHeads.
You must enable SMB2 optimization to optimize SMB3.
To enable SMB3, both SteelHeads must be running RiOS 8.5 or later. After enabling SMB3 optimization, you must restart the optimization service.
•  Enable DFS Optimization - Enables optimization for Distributed File System (DFS) file shares.
You must upgrade both your server-side and client-side SteelHeads to RiOS 9.5 or later to enable DFS optimization. However, this box only needs to be checked on the client-side SteelHead.
Signing
Complete the configuration using these controls.
•  Enable SMB Signing - Enables CIFS traffic optimization by providing bandwidth optimizations (SDR and LZ), TCP optimizations, and CIFS latency optimizations, even when the CIFS messages are signed. By default, this control is disabled. You must enable this control on the server-side SteelHead.
Note: If you enable this control without first joining a Windows domain, a message tells you that the SteelHead must join a domain before it can support SMB signing.
•  NTLM Transparent Mode - Provides SMB1 signing with transparent authentication. The server-side SteelHead uses NTLM to authenticate users. We recommend using this mode for the simplest configuration. Transparent mode is the default for RiOS releases 9.6 and later.
For Windows 7 and later, we recommend that you also specify Active Directory integrated (Windows 2008 and later) in the Join Account Type drop-down list in the SteelHead Optimization > Active Directory: Domain Join page. For details, see configuring a Windows domain in Domain mode in the SteelHead User Guide.
•  NTLM Delegation Mode - Re-signs SMB signed packets using the Kerberos delegation facility.
We recommend using transparent mode instead of delegation mode because it is easier to configure and maintain.
Delegation mode requires additional configuration. Choose Optimization > Active Directory: Service Accounts or click the link provided in the CIFS Optimization page.
•  Enable Kerberos Authentication Support - Provides SMB signing with end-to-end authentication using Kerberos. The server-side SteelHead uses Kerberos to authenticate users.
In addition to enabling this feature, you must also join the server-side SteelHead to a Windows domain and add replication users on the Optimization > Active Directory: Auto Config page.
The server-side SteelHead must be running RiOS 7.0.x or later. The client-side SteelHead must be running RiOS 5.5 or later.
No configuration is needed on the client-side SteelHead.
If you want to use password replication policy (PRP) with replication users, Kerberos authentication requires additional replication user configuration on the Windows 2008 Domain Controller.
Down negotiation
Complete the configuration using these controls.
•  None - Don’t attempt to negotiate the CIFS session down to SMB1.
•  SMB2 and SMB3 to SMB1 - Enable this control on the client-side SteelHead. Optimizes connections that are successfully negotiated down to SMB1 according to the settings on the Optimization > Protocols: CIFS (SMB1) page.
RiOS bypasses down-negotiation to SMB1 when the client or the server is configured to use only SMB2/3 or the client has already established an SMB2/3 connection with the server. If the client already has a connection with the server, you must restart the client.
Down-negotiation can fail if the client only supports SMB2 or if it bypasses negotiation because the system determines that the server supports SMB2. When down-negotiation fails, bandwidth optimization isn’t affected.